iptables
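#!/usr/bin/env bash
#
# Replays the iptables/ipset rule set a kube-proxy node installs: the
# KUBE-FIREWALL / KUBE-FORWARD / KUBE-NODE-PORT chains in the filter table,
# the KUBE-SERVICES / KUBE-POSTROUTING / KUBE-MARK-* chains in the nat table,
# and the KUBE-HEALTH-CHECK-NODE-PORT and KUBE-CLUSTER-IP ipsets.
#
# Usage: sudo ./iptables
#
# Optional env:
#   POD_CIDR  pod network exempted from the cluster-IP masquerade rule
#             (default 10.244.0.0/16, the value hard-coded in the original).
#
# Every chain, set and rule is created only if it is not already present, so
# re-running the script neither fails on "-N"/"create" nor appends duplicate
# rules. NOTE(review): a running kube-proxy owns these chains and may rewrite
# them; this script is a point-in-time reproduction, not a replacement.
set -euo pipefail

readonly POD_CIDR="${POD_CIDR:-10.244.0.0/16}"

# Packet-mark bits shared by the filter and nat tables: 0x4000 marks traffic
# that needs SNAT (set by KUBE-MARK-MASQ), 0x8000 marks traffic to be dropped
# (set by KUBE-MARK-DROP, acted on by filter/KUBE-FIREWALL).
readonly MASQ_MARK='0x4000/0x4000'
readonly DROP_MARK='0x8000/0x8000'

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Create a chain unless it already exists ("iptables -N" fails otherwise).
# Arguments: $1 - table, $2 - chain name
# Returns:   0 on success; non-zero (and exit via set -e) if -N fails
#######################################
ensure_chain() {
  local table=$1 chain=$2
  if ! iptables -t "$table" -nL "$chain" >/dev/null 2>&1; then
    iptables -t "$table" -N "$chain"
  fi
}

#######################################
# Append a rule unless an identical one is already present (checked with -C).
# Arguments: $1 - table, $2 - chain, remaining args - rule specification
# Returns:   0 on success; non-zero (and exit via set -e) if -A fails
#######################################
ensure_rule() {
  local table=$1 chain=$2
  shift 2
  # -C prints an error and exits non-zero when the rule is absent; that is the
  # expected case, so its stderr is silenced. A genuinely bad rule spec still
  # surfaces through the -A call, which runs under set -e.
  if ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
    iptables -t "$table" -A "$chain" "$@"
  fi
}

main() {
  (( EUID == 0 )) || die "must run as root to modify iptables/ipset"
  command -v iptables >/dev/null || die "iptables not found in PATH"
  command -v ipset >/dev/null || die "ipset not found in PATH"

  # --- filter table --------------------------------------------------------
  ensure_chain filter KUBE-FIREWALL
  ensure_chain filter KUBE-FORWARD
  # -exist: do not error when a set with the same name/type already exists.
  ipset create KUBE-HEALTH-CHECK-NODE-PORT bitmap:port range 0-65535 -exist
  ensure_chain filter KUBE-KUBELET-CANARY
  ensure_chain filter KUBE-NODE-PORT
  ensure_rule filter INPUT -j KUBE-FIREWALL
  ensure_rule filter OUTPUT -j KUBE-FIREWALL
  ensure_rule filter KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark "$DROP_MARK" -j DROP
  # Hardening: drop packets addressed to loopback that did not originate from
  # loopback, unless they belong to an established/related or DNAT'd flow.
  ensure_rule filter KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
  ensure_rule filter KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark "$MASQ_MARK" -j ACCEPT
  # The next two rules are identical apart from their comment; kept as in the
  # original so the chain matches what kube-proxy emits.
  ensure_rule filter KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  ensure_rule filter KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  ensure_rule filter KUBE-NODE-PORT -m comment --comment "Kubernetes health check node port" -m set --match-set KUBE-HEALTH-CHECK-NODE-PORT dst -j ACCEPT

  # --- nat table -----------------------------------------------------------
  ipset create KUBE-CLUSTER-IP hash:ip,port family inet hashsize 1024 maxelem 65536 -exist
  local chain
  for chain in KUBE-FIREWALL KUBE-KUBELET-CANARY KUBE-LOAD-BALANCER \
      KUBE-MARK-DROP KUBE-MARK-MASQ KUBE-NODE-PORT KUBE-POSTROUTING \
      KUBE-SERVICES; do
    ensure_chain nat "$chain"
  done
  ensure_rule nat PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
  ensure_rule nat OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
  ensure_rule nat POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
  ensure_rule nat KUBE-FIREWALL -j KUBE-MARK-DROP
  ensure_rule nat KUBE-LOAD-BALANCER -j KUBE-MARK-MASQ
  ensure_rule nat KUBE-MARK-DROP -j MARK --set-xmark "$DROP_MARK"
  ensure_rule nat KUBE-MARK-MASQ -j MARK --set-xmark "$MASQ_MARK"
  # Only packets carrying the masquerade bit reach the SNAT rule.
  ensure_rule nat KUBE-POSTROUTING -m mark ! --mark "$MASQ_MARK" -j RETURN
  # --set-xmark with a zero mask XORs 0x4000 into a mark that has the bit set,
  # i.e. clears it, so the internal mark does not leak past this chain.
  ensure_rule nat KUBE-POSTROUTING -j MARK --set-xmark 0x4000/0x0
  # --random-fully: fully randomised source-port mapping for SNAT'd flows.
  ensure_rule nat KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE --random-fully
  # Traffic from outside the pod network to a cluster IP:port is marked for SNAT.
  ensure_rule nat KUBE-SERVICES ! -s "$POD_CIDR" -m comment --comment "Kubernetes service cluster ip + port for masquerade purpose" -m set --match-set KUBE-CLUSTER-IP dst,dst -j KUBE-MARK-MASQ
  ensure_rule nat KUBE-SERVICES -m addrtype --dst-type LOCAL -j KUBE-NODE-PORT
  ensure_rule nat KUBE-SERVICES -m set --match-set KUBE-CLUSTER-IP dst,dst -j ACCEPT
}

main "$@"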